National Aeronautics and Space Administration 



Space Systems Protection in a 
Cyber-Risk Environment 


Jason A. Soloff 

NASA Lyndon B. Johnson Space Center 
Houston, TX ^ 


Presented at the University of Houston Clear Lake 

Cyber Security Institute 

Cyber Security Collaboration Forum 

April 8, 2013 


Topics 




• NASA’s position and exposure 

• Cyber is “nothing new” 

• Space viewed from a Cyber perspective 

• The scope of NASA’s challenge 

• Systemic solutions 







NASA as a symbol of National Excellence 



• Prestige - NASA is seen by the world as a symbol of US 
economic, scientific and technical excellence and superiority. 


• Ideals - NASA’s missions, facilities and vehicles are visual 
representations of many of the United States’ ideals and unique 
place as a champion of freedom and opportunity in the world. 

• Economic Power - NASA’s engineering and technology (along 
with NASA’s commercial and academic partners) represent the 
produce of some of the best and brightest minds in the world - 
who have been working with significant national resources to 
back their research. 

• NASA’s accomplishments also draw negative attention 

- Terrorism - Attack in the most visible, publicly disturbing 
way possible. 

- Espionage - US technology is sought after by the rest of 
the world. US aerospace, computing and cutting-edge 
engineering is a vital resource that others want to capture 
and exploit. 

- Suspicion - Many nations (and non-state actors) view all 
US Government organizations as part of the US military or 
US intelligence community. This can lead them to see 
NASA as an extension of the military. 






What the world thinks we do... 




NASA as Starfleet? 

• High technology 

• Leading civilization (UN?) 

• Military / Science combined 


33,y 

.* 

V 


^ a ^ m 

• a: 


• V; 

\ . .. 

• • 


• • • # | • 



Aerospace Espionage in the “Bad Old Days” 






Chance? No, Cyber. 


“When U.S. space shuttles started linking up with 
Russia's Mir space station in 1995, both sides owed a 
small debt to the old Soviet secret police, the KGB. 

According to documents obtained by NBC News, it 
was the KGB that successfully stole the U.S. shuttle 
design in the 70s and '80s. ” 


The key in terms of the shuttle program was “overt 
collection” and specifically the use of commercial 
databases . In effect, the massive effort directed at the 
U.S. space shuttle program was among the first cases 
of Internet espionage , if not the first case. With all the 
critical documents online, it was left to the VPK, under 
the auspices of the KGB, to gather it all up and then 
circulate it to those in the space program who needed it. 


jj 



Source: “How the Soviets Stole a Space Shuttle”, NBC News, Nov. 4, 1997 




From the mid-1970s through the early 
1980s, NASA documents and NASA- 
funded contractor studies provided the 
Soviets with their most important 
source of unclassified material in the 
aerospace area. 

- CIA Analysis, 1985 






What HAS Changed? 

The NASA Cyber Environment: Operations 







• Today’s space operations involves interconnection of multiple 
facilities, control centers, engineering organizations and science 
centers to accomplish the mission. 

- Many connections in and out of critical systems 

- Many organizations and individuals (students, foreign partners, 
commercial entities, other government agencies, etc.) 

• Control infrastructure is (only) highly specialized applications and 
databases running on top of IT infrastructure. 

• The challenge to cyber security in operations: NASA must do two 
(often opposed) things well: 

1. Secure and protect the critical mission control / mission 
support infrastructure and systems to ensure safe, 
successful mission operations, protection of sensitive data, 
and assured space flight capability. 

2. Open up the critical mission control / mission support 
infrastructure to partners, collaborators and the “public” to 
perform the science and outreach missions with which the 
Agency is chartered. 






What HAS Changed? 

The NASA Cyber Environment: Communications 



• “Classic” space communications systems and 
architectures were very independent and stove- 
piped. 

• Today’s architectures are 

- Increasingly interconnected (multiple control 
centers, flight systems, ground stations) 

- Increasingly interoperable and shared 
(international partnerships) 

- Relying on modern network techniques and 
technologies to enable advanced mission 
concepts (eg. Mars Network) 




Massive improvements have also changed how we need 
to look at space communications in terms of assurance 
of communications: 

• Confidentiality of the information 

• Integrity of the information 

• Availability of the capability to communicate 

Need to consider the effects of interconnectedness 


and the vulnerabilities that networked systems 
create. 




What HAS Changed? 

The NASA Cyber Environment: Research / Engineering 







NASA’s research and engineering 
represents some of the greatest investment 
made by the US in cutting edge technology. 

NASA research is conducted at 

- NASA Centers 

- Universities 

- NASA Contractor partners 

- NASA’s international partners 

While NASA’s data is not classified, it often 
contains highly sensitive and proprietary 
information that would certainly benefit 
companies and countries with less 
advanced technology, science and 
engineering ability. 

NASA’s research and engineering 

- Databases and information 
repositories 

- Advanced modeling and simulation 
capabilities 

- Supercomputing (both capability and 
technology) 



THE TOP THREE SUPERCOMPUTERS 


SYSTEM 

APPLICATIONS 

BUILDER 

ARCHITECTURE 

PERFORMANCE 

(teraflops) 

COST 

(US$.niliore) 

Blue Gcnc/L * 

Lawrence 
Livermore 
National 
Laboratory, 
Livermore, Calif. 

Materials science, 
nuclear stockpile 
simulations 

IBM 

32 768 processors: 
8 terabytes 
of memory: 

28 terabytes of disk 
storage: Linux and 
custom operating 
system 

70.72 

100 

Columbia 

NASA Ames 
Research Center, 
Moffett Field, 
Calif. 

Aerospace 
engineering, 
simulation of 
space missions, 
climate research 

SGI 

10 240 processors: 
20 terabytes 
of memory: 

440 terabytes of 
disk storage: Linux 
operating system 

51.87 

50 

Earth Simulator 

Earth Simulator 
Center, 
Yokohama, 
Japan 

Atmospheric, 
oceanic, and earth 
sciences 

NEC 

5 120 processors: 

10 terabytes 
of memory: 

700 terabytes of disk 
storage: Unix-based 
ope rating system 

35.86 

350-500" 


SOURCE: TopSOO list (November 2004) and companies * Current configuration ** Industry estimate 



















What HAS Changed? 

Organization - Separation of Mission and Institution 


Programs & Mission Systems... Go Fly. Do the exploration. Bring back the science. 



• Personnel Security 

• Perimeter (Physical) 


Office Aut< 
IT Support 


• Utilities 

• Buildings 


Logistics 
HR/Payroll, etc. 
Communications 


Security 


Information 


Secure Network 
Capabilities 


Development and 
Hosting 

• Institutional IT 
Security 


Security Services 


IT Services 







The Threat to NASA (and US Aerospace) Today 








NASA’s architectures are now incredibly intertwined and 
networked. It is no longer possible to accomplish 
NASA’s mission using standalone communications 
and command / control architectures. 


TAKEOUT 


Nation States take advantage of this 

- Motivated by national objectives 

- Economic / Military Advantage 

- Political / Diplomatic calculations 

- Cyber-espionage is a main aim 
Cyber-Terrorists take advantage of tl 

- Politically motivated 

- Seek high degree of visibility 

- Aim is severe disruption 
Hacktivists take advantage of this 

- Motivated by “social consciousne 

- Generally non-destructive 
Old School Hackers take advantage of this 

- Building “cred” 

- Hacking to test skills / for the challenge 



cotsjfotsjtsat'oroi'OCNStssesatcto 


... And NASA Has Been Hacked (Repeatedly) 


onnesso a 137,78*232.95. 



Jet Propulsion Laboratory 

* "...NASA's status as a "target rich" environment for cyber 
attacks..." 


mputer ii 
ty the Ca! 
S . Gouen 
i to acce; 


"In 2010 and 2011, NASA reported 5,408 computer security 
incidents that resulted in the installation of malicious software 
on or unauthorized access to its systems. These incidents 


e exp 1 spanned a wide continuum from individuals testing their skill to 

it' keysti'(| 1 

break into NASA systems, to well-organized criminal enterprises 
hacking for profit, to intrusions that may have been sponsored 
by foreign intelligence services seeking to further their 
countries' objectives." 


"these intrusions have affected thousands of NASA computers, 
caused significant disruption to mission operations, and resulted 
in the theft of export-controlled and otherwise sensitive data" 


NASA Inspector General Paul Martin, Testimony before the US 
House of Representatives, February 29, 2012 




Solutions NASA DOESN’T have.. 


]f}U&eK-e£fe THepenveifiar *'/*// 

( 


WWW.Ca9lKMtOOfft.com 






So what solutions can NASA use? 


Challenge Spaces: 

1. NASA must look across Programs, Missions & Domains 

2. Adversaries are looking at all avenues to get to targets 

3. NASA’s systems, programs and missions represent the 
“Crown Jewels” of the United States in terms of 
technology, national power and international prestige. 

4. New programs = New technology = New “Targets” 

5. Opening the “partner space” introduces huge 
opportunities ...for both advancement and vulnerability 


Solution Spaces: 

1 . Understand the Environment 

2. Collaboration & Communities 

3. Ensure rigorous processes and 
methods to produce information for 
decision makers. 

4. Ensure common standards / training 
and language across practitioners. 





Aeronautics 
Research & 
Cutting-Edge 
Engineering / 
Technology 


Commercial 
Crew & 
Cargo Supply 


14 




Organizational Challenges to Addressing Cyber 



NASA’s culture 

• “Failure is not an option.” 

• “We are an open, science organization...” 

• “The world loves us!” 

• “Mission” is separate from “Institutional” 

NASA’s mainstream experience base 

• Limited expertise in advanced networks (from an IT perspective) 

• Very limited experience in malicious threat and harm mitigation 

• An “IT centric” approach to Cyber fails to work in NASA’s domain 

- It is not enough to “follow the FIPS or SANS playbooks”. They 
simply don’t marry well to the one-off space systems 
environment 

• NASA’s expertise is in systems engineering and mission operations 
which takes work to translate to Information Assurance 

NASA’s management approach 

• Program management knobs: Cost, Schedule, Performance 

• Security (Information Assurance, Counter-space) are “black arts” 

- A “security expert” participates in reviews and levies additional, 
unfunded requirements without explaining why 

• Security is poorly understood as a technical engineering and 
operations discipline 



INFORMATION SECURITY 




The Scope 

Requires Vertical and Horizontal Collaboration 


NASA 








JcW' 


FAA 

NOAA ' 
NASA 
State 

*. Civil Space Community 

Academia 


Industry 


Intelligence Community 
Defense Space 
STRATCOM / CYBERCOM 


National Security 
Space Community 


0 ^ e 


OCIO 

OCE 

S&MA 


NASA 


DHS/CYBERCOM 
National Defense Universtiy 
SATERN / APPEL Integration 


Common Curriculum 


q 




Program / Project 
Management 

Operations Management 
(Flight ! Control; 

IT Operations Teams 


NASA Knowledge Transfer 


y* 


Partnership 


oV SSE / RA/VA Capability 

\ 


Assessment 
Planning 
Mitigation 
Analysis 

International Space Station 
SCAN 

Orion / MPCV 

ESD 


Program Protection ■ 
! RA'VA 


O/ 

Programs 


Technology 


Comprehensive Mission Security 


Community 


Policy 


\ 




Engineering Mission Network Engineering 

Advanced Persistent Threat Mitigation 
Continuous Monitoring 


National Space 
INFOSEC Steering 
Council 

Committee for 
Space Data 
Systems (CCSDS) 

Committee on 
National Security 
Systems (CNSS) 


Commercial 


SLS 

Ground Systems / LCC21 
AES 

Mission Analogs 
Space-X 
Orbital 
Blue Origins 


Bigelow 
Virgin Galactic 
Sierra Nevada 


CNSSP-12 

CNSSI-1253 


Active Defense 


Real-Time Collaborative Arrangements 
Real-Time Operations Insight 


Mission Network Operations 


Federal IT / 
INFOSEC Policy 

Civil Space INFOSEC 


FIPS-800-53 

FISMA 

NIST 

DHS/DOC 






& 





How can we meet the challenge? 
Communities. Capabilities. Practices. 



Capability to Assess, Inform, Respond, and Protect Missions, Technology, Systems and Crew 



◄ Share Knowledge 

◄ Develop 
Collaborative 
Relationships 

◄ Cross-Train 


◄ Bring together 
diverse discipline, 
experience and 
expertise. 

◄ “None of us is as 
smart as all of us” 



◄ Assess threats. 

◄ Identify 
vulnerabilities. 

◄ Identify risk. 

◄ Evaluate 
mitigations. 

◄ Provide insight to 
decision makers. 



◄ Provide methods and 
techniques to quantify. 

◄ Leverage NASA system 
engineering discipline 
excellence to new 
domain. 


◄ Provide rigor to ensure 
thorough identification, 
analysis and assessment. 

◄ Leverage “best of breed” 
techniques for 
architecture analysis and 
assessment. 


Collaborative Communication and Analysis Tools 


17 




Applying Rigor - System Security Engineering 
Reconsidering how NASA does security risk management 


rx 

NASA 


S-fiand: 

TRK, Cmd. and HKTlm 



Ground Site 92 

( nsa 'n 

Ground System 
(Including Short-Term 
'vS-Band Data Storagejy 


External 

Tracking Station 


S-Band: 

UK Tim, TRK Data 


Same Interfaces 
as Prime Ground Site 


Acquisition 

Data 

Cmd 



( $T5nd ' 

Ground System 
(Including Snort-Term 
. S-8and Data Storage}/ 

^ 1 Acquisition Data 

^ ! Station Control 

Observatory Housekeeping Telemetry v 

I Ka-Band 
1 Ground System 

• Tracking Data 

I ! Station Status 


Mission Operations G 


Telemetry and 
Command System 

ASIST/FEDS 
Telemetry Monitoring 
Command Management 
HK Data Archival 
HK Level-0 Processing 


Fit 

Orbit D< 


Ascent Into 
Orbit Injection 


Checkout 
and Deploy 


3.0 

4.0 

Transfer to 
OPS Orbit 

Perform 
"* Mission 

Operations 





5.0 

Contingency 









6.0 


7.0 


8.0 

Transfer to 
STS Orbit 


Retrieve 

Spacecraft 


Reenter and 
Land 


SECOND LEVEL 



4.1 


4.2 



Provide 
Electric Power 


Provide 

Attitude 

Stabilization 



Through Operations 
Concept Modeling 


:nce Data J" 

5 Mbps^| nstr y^ en ^f ^Inst 

u 


From System and 
Mission Architecture 

T 



What systems and elements are needed for the mission? 
What capabilities must be available / provided AND WHEN? 
How can a failure happen (or be caused to happen?) 

• What would an adversary WANT to have happen? 

• What is the likelihood they would try? 

• What is the likelihood they would succeed? 








How do we measure how well we have engaged? 
Security Risk Assessment Methodology 



Similar to process in 
NPR 8705.5A, ICD503 
and other USG policies 
and to traditional PRA 
approaches. 



Develop Security 
Threat Model 

Construct a Security 
Threat Model for the 
mission / system that 

focuses solely on 
Intentional and willful 
efforts to attack and 
exploit 


Analysis of fault trees and 
fault branches, quantification 
of P(x) using “all source” 
information. 



Perform 
Quantitative 
Assessment of Risk 

Shift away from a Subjective 
assessment 

Transition to a Qualitative 
and then Quantitative 
approach. 

Assess risk (i.e. Harm Value) 
as ranked to prioritized 
Consequence Values for the 
mission or system. 


Determine End-to-End 
Security Risk 
Components 

What are the Vulnerabilities? 

What are the most probable 
Consequences? 

Who are the Adversaries to 
evaluate? 

What are the Harm Values (i.e. 
Assessed Risks) derived from the 
Probability of Success (by an 
Adversary(s)) standpoint? 



Identify Mitigations 
and Evaluate Residual 
Risk Posture 

What mitigations are 
available (technical, 
operational, programmatic)? 

How secure can we hope to 
be? 

What do we lose from other 
system goals? (cost / 
schedule/ performance 
trade)? 

When have we spent enough 
on security? 

What is the remaining 
residual risk posture? Is it 
acceptable? 


19 



Tying it Together - The View Ahead 





1. 

2 . 




Address integrated threat and risk mitigation 
activities throughout the life cycle of the project 
/ program. 

Apply System Engineering rigor to the process 
of Security Risk management. 

Build and maintain strong Communities of 
Practice and use the collaboration and insight 
they provide. 

Iterative approach that constantly integrates 
new information and intelligence, refines the 
threat model, and evaluates emerging and 
evolving threat conditions against system and 
operations vulnerabilities. 

Integrate stakeholders and experts to provide: 

Quantitative risk / benefit information for use by key 
decision makers. 


Quantitative analysis of threat and vulnerability to 
probable aggressor actions to inform operations to 
enhance safety, information protection and mission 
success. 


Without SSE 


DC — 


-Q 


SSE 


Acceptable 
Risk Threshold 


resources expended 
(time, money) 


bervim 

Motfuie 

-I- 




Dfmct Entry 
Land Landing ^ 


Softie Crew and 
Cargo DRhi 

100-fcm 
Law Lu 


3. Meaningful, actionable information across the 
community. 


20 



Contact Info 


Jason A. Soloff 

NASA Lyndon B. Johnson Space Center 

Human Exploration Development Support Office (Code Yl) 

Houston, TX 77058 

jason.a.soloff@nasa.gov 

(281)483-3554 




